improved RBAC generators #26
@ -14,7 +14,7 @@ import java.io.IOException;
|
|||||||
import java.util.UUID;
|
import java.util.UUID;
|
||||||
|
|
||||||
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Column.dependsOnColumn;
|
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Column.dependsOnColumn;
|
||||||
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Nullable.NULLABLE;
|
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Nullable.NOT_NULL;
|
||||||
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Permission.*;
|
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Permission.*;
|
||||||
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Role.*;
|
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Role.*;
|
||||||
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.SQL.directlyFetchedByDependsOnColumn;
|
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.SQL.directlyFetchedByDependsOnColumn;
|
||||||
@ -51,7 +51,7 @@ public class TestDomainEntity implements HasUuid {
|
|||||||
.importEntityAlias("package", TestPackageEntity.class,
|
.importEntityAlias("package", TestPackageEntity.class,
|
||||||
dependsOnColumn("packageUuid"),
|
dependsOnColumn("packageUuid"),
|
||||||
directlyFetchedByDependsOnColumn(),
|
directlyFetchedByDependsOnColumn(),
|
||||||
NULLABLE)
|
NOT_NULL)
|
||||||
.toRole("package", ADMIN).grantPermission(INSERT)
|
.toRole("package", ADMIN).grantPermission(INSERT)
|
||||||
|
|
||||||
.createRole(OWNER, (with) -> {
|
.createRole(OWNER, (with) -> {
|
||||||
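Review bot: Switching the package dependency to `NOT_NULL` only changes what the RBAC generator emits for this entity (presumably the `assert newPackage.uuid is not null` check that appears in the generated trigger); it adds no NOT NULL constraint to the `packageUuid` column itself. If the table definition, which is outside this diff, still allows nulls, an insert with a missing package now fails inside the trigger with an assertion failure rather than a constraint violation, so the column constraint should be confirmed to match, and a comment such as `// packageUuid must also be declared NOT NULL in the table definition` would make the dependency explicit. The method this builder chain belongs to starts and ends outside the hunk.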
|
@ -36,6 +36,8 @@ begin
|
|||||||
call enterTriggerForObjectUuid(NEW.uuid);
|
call enterTriggerForObjectUuid(NEW.uuid);
|
||||||
|
|
||||||
SELECT * FROM test_package WHERE uuid = NEW.packageUuid INTO newPackage;
|
SELECT * FROM test_package WHERE uuid = NEW.packageUuid INTO newPackage;
|
||||||
|
assert newPackage.uuid is not null, format('newPackage must not be null for NEW.packageUuid = %s', NEW.packageUuid);
|
||||||
|
|
||||||
|
|
||||||
perform createRoleWithGrants(
|
perform createRoleWithGrants(
|
||||||
testDomainOwner(NEW),
|
testDomainOwner(NEW),
|
||||||
@ -87,12 +89,37 @@ create or replace procedure updateRbacRulesForTestDomain(
|
|||||||
NEW test_domain
|
NEW test_domain
|
||||||
)
|
)
|
||||||
language plpgsql as $$
|
language plpgsql as $$
|
||||||
begin
|
|
||||||
|
|
||||||
if NEW.packageUuid is distinct from OLD.packageUuid then
|
declare
|
||||||
delete from rbacgrants g where g.grantedbytriggerof = OLD.uuid;
|
oldPackage test_package;
|
||||||
call buildRbacSystemForTestDomain(NEW);
|
newPackage test_package;
|
||||||
|
|
||||||
|
begin
|
||||||
|
call enterTriggerForObjectUuid(NEW.uuid);
|
||||||
|
|
||||||
|
SELECT * FROM test_package WHERE uuid = OLD.packageUuid INTO oldPackage;
|
||||||
|
assert oldPackage.uuid is not null, format('oldPackage must not be null for OLD.packageUuid = %s', OLD.packageUuid);
|
||||||
|
|
||||||
|
SELECT * FROM test_package WHERE uuid = NEW.packageUuid INTO newPackage;
|
||||||
|
assert newPackage.uuid is not null, format('newPackage must not be null for NEW.packageUuid = %s', NEW.packageUuid);
|
||||||
|
|
||||||
|
|
||||||
|
if NEW.packageUuid <> OLD.packageUuid then
|
||||||
|
|
||||||
|
call revokePermissionFromRole(getPermissionId(OLD.uuid, 'INSERT'), testPackageAdmin(oldPackage));
|
||||||
|
|
||||||
|
call revokeRoleFromRole(testDomainOwner(OLD), testPackageAdmin(oldPackage));
|
||||||
|
call grantRoleToRole(testDomainOwner(NEW), testPackageAdmin(newPackage));
|
||||||
|
|
||||||
|
call revokeRoleFromRole(testPackageTenant(oldPackage), testDomainOwner(OLD));
|
||||||
|
call grantRoleToRole(testPackageTenant(newPackage), testDomainOwner(NEW));
|
||||||
|
|
||||||
|
call revokeRoleFromRole(testPackageTenant(oldPackage), testDomainAdmin(OLD));
|
||||||
|
call grantRoleToRole(testPackageTenant(newPackage), testDomainAdmin(NEW));
|
||||||
|
|
||||||
end if;
|
end if;
|
||||||
|
|
||||||
|
call leaveTriggerForObjectUuid(NEW.uuid);
|
||||||
end; $$;
|
end; $$;
|
||||||
|
|
||||||
/*
|
/*
|
||||||
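Review bot: The revoke at `call revokePermissionFromRole(getPermissionId(OLD.uuid, 'INSERT'), testPackageAdmin(oldPackage));` has no matching grant for `testPackageAdmin(newPackage)`, although every other revoke in the `if` block is paired with a grant for the new package; unless that INSERT permission is re-granted elsewhere, moving a domain to another package leaves the new package's admin without the permission the entity definition declares via `.toRole("package", ADMIN).grantPermission(INSERT)`. The condition was also narrowed from `is distinct from` to `NEW.packageUuid <> OLD.packageUuid`, which is equivalent only while both values are non-null; that currently rests on the two preceding `assert` statements, and plpgsql skips asserts when `plpgsql.check_asserts` is off, so keeping `if NEW.packageUuid is distinct from OLD.packageUuid then` costs nothing and stays correct in that case. The procedure signature is on the hunk header line, outside the hunk.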
|
@ -54,8 +54,8 @@ begin
|
|||||||
hsOfficeRelationAdmin(NEW),
|
hsOfficeRelationAdmin(NEW),
|
||||||
permissions => array['UPDATE'],
|
permissions => array['UPDATE'],
|
||||||
incomingSuperRoles => array[
|
incomingSuperRoles => array[
|
||||||
hsOfficeRelationOwner(NEW),
|
hsOfficePersonAdmin(newAnchorPerson),
|
||||||
hsOfficePersonAdmin(newAnchorPerson)]
|
hsOfficeRelationOwner(NEW)]
|
||||||
);
|
);
|
||||||
|
|
||||||
perform createRoleWithGrants(
|
perform createRoleWithGrants(
|
||||||
@ -74,8 +74,8 @@ begin
|
|||||||
hsOfficePersonAdmin(newHolderPerson)],
|
hsOfficePersonAdmin(newHolderPerson)],
|
||||||
outgoingSubRoles => array[
|
outgoingSubRoles => array[
|
||||||
hsOfficePersonReferrer(newAnchorPerson),
|
hsOfficePersonReferrer(newAnchorPerson),
|
||||||
hsOfficePersonReferrer(newHolderPerson),
|
hsOfficeContactReferrer(newContact),
|
||||||
hsOfficeContactReferrer(newContact)]
|
hsOfficePersonReferrer(newHolderPerson)]
|
||||||
);
|
);
|
||||||
|
|
||||||
call leaveTriggerForObjectUuid(NEW.uuid);
|
call leaveTriggerForObjectUuid(NEW.uuid);
|
||||||
|
@ -65,8 +65,8 @@ begin
|
|||||||
hsOfficeSepaMandateReferrer(NEW),
|
hsOfficeSepaMandateReferrer(NEW),
|
||||||
permissions => array['SELECT'],
|
permissions => array['SELECT'],
|
||||||
incomingSuperRoles => array[
|
incomingSuperRoles => array[
|
||||||
hsOfficeBankAccountAdmin(newBankAccount),
|
|
||||||
hsOfficeRelationAgent(newDebitorRel),
|
hsOfficeRelationAgent(newDebitorRel),
|
||||||
|
hsOfficeBankAccountAdmin(newBankAccount),
|
||||||
hsOfficeSepaMandateAgent(NEW)],
|
hsOfficeSepaMandateAgent(NEW)],
|
||||||
outgoingSubRoles => array[hsOfficeRelationTenant(newDebitorRel)]
|
outgoingSubRoles => array[hsOfficeRelationTenant(newDebitorRel)]
|
||||||
);
|
);
|
||||||
|
@ -204,7 +204,7 @@ class TestCustomerControllerAcceptanceTest {
|
|||||||
.statusCode(403)
|
.statusCode(403)
|
||||||
.contentType(ContentType.JSON)
|
.contentType(ContentType.JSON)
|
||||||
.statusCode(403)
|
.statusCode(403)
|
||||||
.body("message", containsString("insert into test_customer not allowed for current subjects {customer-admin@yyy.example.com}"));
|
.body("message", containsString("ERROR: [403] insert into test_customer not allowed for current subjects {customer-admin@yyy.example.com}"));
|
||||||
// @formatter:on
|
// @formatter:on
|
||||||
|
|
||||||
// finally, the new customer was not created
|
// finally, the new customer was not created
|
||||||
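Review bot: The new expectation `containsString("ERROR: [403] insert into test_customer not allowed for current subjects {customer-admin@yyy.example.com}")` pins the HTTP response body to the raw PostgreSQL error text including the `ERROR:` prefix, which couples the API contract to the database driver's message format and records that the DB-level error reaches the client verbatim. If the point of the test is the authorization outcome, matching the stable part, e.g. `containsString("insert into test_customer not allowed")`, keeps it from breaking on message-format changes, and mapping the DB error to a controlled message at the API boundary is where internal details would be kept out of responses. The test method starts outside the hunk.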
|